We are the Health Services division of AXA Health. The Health Services division is currently made up of 3 AXA Health companies – AXA ICAS Limited, AXA ICAS Occupational Health Services Limited and AXA PPP healthcare Administration Services Limited (to be renamed AXA Health Services Limited from May 2021). Over the coming months AXA Health Services Limited will become the Data Controller of information which was previously the responsibility of AXA ICAS Limited and AXA ICAS Occupational Health Services Limited. This is why you’ll see some overlap in the services below.
When we collect and use your personal information, we ensure we look after it properly and use it in accordance with our privacy principles set out below, keep it safe and will never sell it.
Whilst there are a number of ways we collect your personal information, the two main ways are from things you tell us yourself, and from things we ask other people or organisations to share with us. Things you tell us could include information that you provide to us during conversations we have on the phone or face to face. We might also collect information about you from other people and organisations, such as your employer, other AXA Health companies, medical professionals (for example your GP), a treating specialist or physiotherapist in the form of a medical report.
We may collect personal information, such as your contact details and medical information. Please note, in certain circumstances we may need to process a large volume of medical information in order to provide the service to you or a third party, for example your employer. The information may be sensitive and confidential in nature. Where we provide services on behalf of your employer, we will not share information without your consent. We mainly use your personal information to provide you with health-related services.
You will find a non-exhaustive list of the legal grounds under data protection law that we rely on for each use of your personal information below.
We will process your personal information to provide psychological and musculoskeletal services.
If you are accessing psychological services (Stronger Minds) or musculoskeletal services (Working Body) under your private medical insurance plan or your employer’s group scheme if you receive this service as a benefit, we’ll process your personal information to deliver these services. The main legal grounds are that the processing is necessary for the performance of a contract with you or to which you are a party, and that the processing is necessary for the purpose medical diagnosis, and the provision of health care or treatment.
Your employer may instruct us to carry out health related services on health and safety grounds. The legal grounds for doing this are that the processing is in the legitimate interest of your employer and in some cases, depending on your occupation, your work colleagues and members of the public, and also that the processing is necessary for the purposes of preventative or occupational medicine.
In respect of these psychological, musculoskeletal and occupational health services, we will always seek a valid clinical consent from you in order to process your clinical information, undertake health-related assessments and to share your information with third parties, for example your employer for occupational health purposes or a healthcare professional involved in your care for our other services. Our clinical consent processes are based on the General Medical Council (GMC) Confidentiality Guidance and the Faculty of Occupational Medicine’s Ethical Guidance, as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal information under data protection law; we do not generally use consent as our legal ground for processing personal information under data protection law.
We may process your information to provide you with gym membership or to supply you with the products that you purchase or products that your employer makes available to you through ActivePlus. The legal ground for processing is that the processing is necessary for performance of a contract.
ActivePlus also asks for your marketing preferences for its own use and use by certain companies within the AXA UK group. Your personal information may be used for marketing purposes. The legal ground for doing this is that it is in AXA UK companies’ legitimate interest, having regard to your rights, for example, not to have your information used for this purpose (and if you have agreed to receive marketing, you can change your mind at any time by contacting us).
Note: as with all provisions of health-related services, there would be other legal grounds used to process your information, for example:
We use your personal information to help us understand our business and monitor our performance.
We may provide reports to your employer, or a parent company, for example about service utilisation and workforce health trends. These reports contain aggregated data to a level which means you cannot be identified.
We may use your personal information collected from customer satisfaction surveys and where possible, we will anonymise such information. However, sometimes we may need to use your personal information. Where we do, we will obtain your consent beforehand where necessary.
When required, we anonymise personal information so that individuals cannot be identified, before we use it for management information and analysis of our products and services. Analysis of anonymous information provides us with insights about our business, and with opportunities to improve our products and services and the health and wellbeing of the people who use them. Analysis of anonymous information also allows us to demonstrate the value of the services we provide to our clients. The way that we anonymise personal information aligns with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data.
In order to provide our services your personal information is shared with other companies in the AXA Group, for example for our general business administration and information technology purposes (for example, as part of the anonymisation process). It is also shared when we make changes to our Group company structure.
Disclosure of your personal information to a third party outside the AXA Group will only be made when the third party has agreed to keep your information strictly confidential and to use it only for the specific purpose for which we provide it to them.
Some recipients (within the AXA Group or external to it) may be in countries outside the UK and the EEA notably in (i) Switzerland, where AXA has a European Data Centre, and (ii) India, where some administration is undertaken. Where we make a transfer of your personal information outside the UK and the EEA we will take steps to ensure that it is protected. Such steps may include placing the party we are transferring personal information to under contractual obligations to protect it to adequate standards.
In most cases, we keep your information for between three and six years after our relationship with you ends, but this varies depending on what data we hold, why we hold it and what we’re obliged to do by the regulator or the law.
You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We’ll either do what you’ve asked, or explain why we can’t - usually because of a legal or regulatory issue.
You have a number of rights in relation to our use of your personal information;
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. There will not usually be a charge for dealing with these requests. Where you have made the request by electronic means the information will be provided to you by electronic means where possible.
We take steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it. Please note that this does not give you a right to require that a clinician change their professional opinion should you disagree with it.
In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, please note that there may be some legal and regulatory obligations which mean that we cannot comply with your request.
In certain circumstances, you are entitled to ask us to temporarily restrict our use of your personal information, for example where you think that the personal information we hold about you may be inaccurate, whilst we investigate this or you may ask us to keep information on a restricted basis where we would otherwise delete it.
In certain circumstances, you have the right to ask that we provide you in machine readable format, or where feasible transfer to a third party, personal information that you have provided to us yourself. Once transferred, the other party will be responsible for looking after your personal information.
In certain circumstances, you have the right to object to processing of your personal information. You have an absolute right to object to use of your personal information for marketing purposes.
For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further processing of your personal information. Please be aware that clinical consent is not the same as consent under Data Protection law, so where we obtain a clinical consent this may be subject to different rules, for example those set out by the General Medical Council, and this right may not apply.
You can make any of the requests set out above by using the contact details you have been provided with for our services or alternatively as set out in section 7.
Please note that when you exercise your rights we may not be able to comply with your request for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make and if we can't comply with your request, we will tell you why.
You have a right to complain to the data protection regulators at any time about the way we use your personal information. More information can be found at the following;
If you wish to contact the Data Protection Officer the details are below:
The Data Protection Officer (Health Services, AXA Health)
23 St Leonards Road
email address: firstname.lastname@example.org
AXA ICAS Limited trading as a division of AXA Health, is a private limited company incorporated in England and Wales with company number 02548573 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.
AXA ICAS Occupational Health Services Limited trading as a division of AXA Health, is a private limited company incorporated in England and Wales with company number 01336017 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG
AXA PPP healthcare Administration Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 05961472 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.
Information about the companies in the AXA UK Group is available here.
Your personal information can help us give you a better, more personalised service. But looking after that data is a big responsibility. We take our responsibilities seriously, so we’ve introduced internationally-recognised data privacy rules to protect you. We keep your data safe, confidential and will never sell it. And, if you ask us to, we’ll tell you exactly what information we have so you can be sure it’s up-to-date and accurate.
We know that respecting the confidentiality of personal information is critical to preserving your trust and therefore have developed security procedures and we use a range of organisational and technical security measures designed to protect your personal information from unauthorised use or disclosure. We will always seek any required clinical consent to process your clinical information, undertake health-related assessments and to share that clinical information with third parties, for example your employer for occupational health purposes or a healthcare professional involved in your care for our other services. Please be aware that clinical consent is not the same as consent under data protection law, so where we obtain a clinical consent this may be subject to different rules, for example those set out by the General Medical Council.